
to monitor, assess and defend their networks and information systems. Setting up a SOC can take a significant amount of time and effort, so it's important to do it right.

It's tempting to jump right into selecting tools for the SOC and creating procedures. However, taking the time to first carefully plan and design your SOC will ensure it performs the right functions and that its processes are effective and efficient.

There is no one right way to set up a SOC. Each SOC must be organized to meet the needs and priorities of its organization. Still, there are core principles that all organizations should follow when setting up their SOC.

Charter

Senior management support is essential when setting up a SOC. Create a formal, documented charter that senior management reviews and approves annually.

The charter should describe the mission of the SOC and its primary responsibilities, its scope -- for example, will the SOC monitor all of an organization's information systems and networks or just a subset? -- and it should authorize the SOC to respond to cybersecurity incidents. The charter provides a clear guide for both SOC employees and others in the organization who will interact with the SOC, plus shows that the SOC is supported by senior management.

Services definition

SOCs can provide many different services for an organization. It's critical that an organization formally define what services a SOC will and will not provide. Typical SOC services include:

monitoring and triage of user reports and data feeds to identify cybersecurity incidents;

The type and number of services a SOC provides depend heavily on the budget allocated to it, on the organization as a whole and on the maturity of the organization's cybersecurity team. For instance, an organization may prefer to have another person or team perform vulnerability management or forensics.

SOCs typically evolve and mature over time, so services can be modified and added.

Key performance indicators

An organization should have formal, documented SOC key performance indicators (KPIs). KPIs are important because they help a SOC stay focused on its responsibilities, help ensure that SOC processes stay aligned with the overall objectives of the organization and identify SOC progress and areas that need improvement.

Typical SOC KPIs include:

average incident detection time;

average incident response time;

event and ticket queue backlog -- the number of SOC tickets not addressed within the expected time;

first call resolution -- percentage of first calls to the SOC that were resolved on that first contact;

first call escalation -- percentage of first calls to the SOC that had to be escalated;

headcount to incident ratio -- average number of incidents handled per SOC employee; and

headcount to ticket ratio -- average number of tickets handled per SOC employee.
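The KPIs above are only useful if they are computed the same way every reporting period, so it helps to pin down each definition in code. The script below is an added example, not part of the original article: it assumes a ticket export with the fields shown (a constructed sample is embedded), an assumed four-hour response target as the "expected time" for the backlog KPI and an explicit headcount, and it derives each KPI from the same timestamps so the numbers are reproducible.

```python
"""Compute the SOC KPIs listed above from a ticket export (added example; field names are assumed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Ticket:
    ticket_id: str
    is_incident: bool              # True once triage confirmed a real incident
    occurred: datetime             # event time, taken from the source log
    detected: datetime             # when the SOC opened the ticket (detection)
    responded: Optional[datetime]  # first response action; None if still waiting
    escalated: bool                # handed beyond the first contact (e.g. tier 1 -> tier 2)
    handler: str                   # SOC employee who owned the ticket


SLA = timedelta(hours=4)  # assumed response-time target used for the backlog KPI


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mean_detection_hours(tickets: Iterable[Ticket]) -> float:
    """Average incident detection time: occurrence -> ticket opened, incidents only."""
    gaps = [_hours(t.detected - t.occurred) for t in tickets if t.is_incident]
    return mean(gaps) if gaps else 0.0


def mean_response_hours(tickets: Iterable[Ticket]) -> float:
    """Average incident response time: ticket opened -> first response, for incidents that got one."""
    gaps = [_hours(t.responded - t.detected) for t in tickets if t.is_incident and t.responded]
    return mean(gaps) if gaps else 0.0


def backlog(tickets: Iterable[Ticket], now: datetime, sla: timedelta = SLA) -> int:
    """Tickets not addressed within the expected time: responded late, or still open and already past the SLA."""
    late = 0
    for t in tickets:
        if t.responded is None:
            if now - t.detected > sla:
                late += 1
        elif t.responded - t.detected > sla:
            late += 1
    return late


def first_call_rates(tickets: Iterable[Ticket]) -> Tuple[float, float]:
    """(first call resolution, first call escalation) as fractions of all tickets.
    Still-open tickets count in neither, so the two rates need not sum to 1."""
    items = list(tickets)
    if not items:
        return 0.0, 0.0
    resolved = sum(1 for t in items if t.responded is not None and not t.escalated)
    escalated = sum(1 for t in items if t.escalated)
    return resolved / len(items), escalated / len(items)


def per_head(tickets: Iterable[Ticket], headcount: int) -> Tuple[float, float]:
    """(incidents per employee, tickets per employee) for the reporting period."""
    items = list(tickets)
    incidents = sum(1 for t in items if t.is_incident)
    return incidents / headcount, len(items) / headcount


def kpi_report(tickets: List[Ticket], now: datetime, headcount: int) -> Dict[str, float]:
    resolution, escalation = first_call_rates(tickets)
    inc_per_head, tix_per_head = per_head(tickets, headcount)
    return {
        "mean_detection_hours": round(mean_detection_hours(tickets), 2),
        "mean_response_hours": round(mean_response_hours(tickets), 2),
        "backlog": backlog(tickets, now),
        "first_call_resolution": round(resolution, 2),
        "first_call_escalation": round(escalation, 2),
        "incidents_per_head": round(inc_per_head, 2),
        "tickets_per_head": round(tix_per_head, 2),
    }


# Constructed sample export: one reporting window, three handlers, five tickets.
T0 = datetime(2024, 3, 1, 8, 0)
H = timedelta(hours=1)
SAMPLE_TICKETS = [
    Ticket("T1", True, T0, T0 + 1 * H, T0 + 2 * H, False, "alice"),            # incident, handled in time
    Ticket("T2", True, T0, T0 + 3 * H, T0 + 9 * H, True, "bob"),               # incident, escalated, 6h response (late)
    Ticket("T3", False, T0 + 2 * H, T0 + 2 * H, T0 + 3 * H, False, "alice"),   # benign report, closed on first call
    Ticket("T4", True, T0, T0 + 5 * H, None, False, "carol"),                  # incident still open
    Ticket("T5", False, T0 + 6 * H, T0 + 6 * H, T0 + 6 * H + H / 2, True, "bob"),  # escalated quickly
]
NOW = T0 + 12 * H

if __name__ == "__main__":
    for name, value in kpi_report(SAMPLE_TICKETS, NOW, headcount=3).items():
        print(f"{name:24} {value}")
```

The backlog definition is the one most worth agreeing on up front: counting only tickets that are still open hides work that was eventually done but done late, so the function counts both.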

SOC roles

When setting up a SOC, an organization must define the staff roles it needs and their operating hours, such as 8/5 or 24/7. There should always be at least two people on duty in a SOC, and there should be a clear handoff of information and incident status when shifts change.

Tier 2 -- incident responder. This team member provides initial response to incidents identified by tier 1 employees. They escalate to and coordinate with non-SOC employees, such as internal subject matter experts (SMEs) and third parties, as appropriate.

Tier 3 -- SME or hunter. This type of employee has significant experience with cybersecurity incident response and will often lead an organization's response to complex incidents. When not doing incident response, this employee proactively hunts for suspicious or malicious behavior on information systems and networks.

Many SOCs start with tier 1 and 2 employees and, as they mature from being reactive to being proactive, bring in tier 3 employees.

Data collection

A key responsibility of a SOC is to collect data, so it's critical to decide what data will be collected from what sources and how such data will be collected -- what format and via what protocols. SOC staff should work closely with information system and network SMEs to identify types of events and how they are logged. The goal is for the SOC to consistently receive alerts of significant events without being drowned in data. Typical sources of data include:

Most of the above sources use common, well-known formats for event logging, such as syslog or Windows event log. The NetFlow protocol can be used to monitor network traffic; note that it exports flow records (who talked to whom, when, over which ports and how much), not packet contents, so it complements rather than replaces packet capture.
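Deciding "what format and via what protocols" in practice means normalizing whatever arrives into one event shape and then deciding which events are significant enough to alert on. The following is an added example, not code from the original article: a minimal parser for the two common syslog line formats (BSD-style RFC 3164 and RFC 5424) that extracts facility and severity from the PRI field, plus a selection step that keeps an event either because its severity is high enough or because its message matches a watch phrase. The log lines, hosts, app names and watch phrases are all constructed for the example.

```python
"""Normalize syslog lines and keep only significant events (added example; sample lines are constructed)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class Event:
    facility: int   # PRI // 8
    severity: int   # PRI % 8; 0 is most severe, 7 is debug
    host: str
    app: str
    message: str
    fmt: str        # which syslog format the line was parsed as


def parse_syslog(line: str) -> Optional[Event]:
    """Parse one syslog line into an Event, or return None for lines in neither format."""
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m:
            pri = int(m.group("pri"))
            if pri > 191:           # facility 0..23 and severity 0..7 bound PRI to 0..191
                return None
            return Event(pri // 8, pri % 8, m.group("host"), m.group("app"), m.group("msg"), fmt)
    return None


def parse_all(lines: Iterable[str]) -> List[Event]:
    return [e for e in (parse_syslog(ln) for ln in lines) if e is not None]


def select_significant(events: Iterable[Event], max_severity: int = 4,
                       watch: Tuple[str, ...] = ("Failed password", "failed to log on")) -> List[Event]:
    """Keep an event if its severity is at or above the threshold (numerically <= max_severity)
    or its message contains a watch phrase; this is how low-severity but important events survive."""
    kept = []
    for e in events:
        if e.severity <= max_severity or any(w.lower() in e.message.lower() for w in watch):
            kept.append(e)
    return kept


# Constructed sample feed: mixed formats, one line that is not syslog at all.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 kernel: iptables DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5",
    "<38>Oct 11 22:14:16 web01 sshd[2034]: Failed password for invalid user admin from 198.51.100.9 port 51234 ssh2",
    "<190>Oct 11 22:14:17 web01 nginx[991]: 10.0.0.8 - - GET /healthz 200",
    "<165>1 2024-03-01T08:00:00Z dc01 evtfwd 1 4625 - An account failed to log on. TargetUser=svc_backup",
    "<191>1 2024-03-01T08:00:01Z dc01 evtfwd 1 - - heartbeat",
    "garbage line",
]

if __name__ == "__main__":
    for e in select_significant(parse_all(SAMPLE_LINES)):
        print(f"{e.host:6} {e.app:7} {SEVERITY_NAMES[e.severity]:8} {e.message}")
```

The severity threshold alone would have dropped the two authentication failures (they are logged at info and notice), which is exactly the kind of event a SOC needs to see; the watch list is the knob that trades data volume for coverage, and it is worth reviewing with the system SMEs mentioned above.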

Once an organization has defined the data its SOC will collect, it can create the requirements for its SOC data collection tools.

A SOC can be a valuable part of your organization's cybersecurity strategy. Follow the above recommendations when creating and setting up a SOC to ensure that it is performing the right tasks and effectively protecting your organization.
